Ask HN: Dropbox security bug?

5 points

14 years ago

I had always thought that my Dropbox shared folders required an invitation, to see the files, or at least I could copy the invitation link and send it directly to someone, who would then have to register to see the folder and files.

But no, apparently if I send a link to a folder ("Copy link to this folder"), they can go straight in and download anything they like without having to register at all. I'm not talking about the files in the Public folder which I never use. It's a private folder.

This couldn't be more clear from the Web site dox:

"Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder. Everything in your Public folder is, by definition, accessible to anyone."

If they get hold of the link they don't have to be deliberately invited. Try it and let me know.

https://www.dropbox.com/sh/hp1cxs474rm5fpn/PadV8OneIS

I tried this link from another user on a clean browser on my Mac, and it allowed me straight in. Now, I know I have DropBox running on my user, but surely it should still prevent me from seeing these files if I hadn't registered. I haven't had the opportunity to try it on someone else's machine yet - hence this post...

If this is the case then my folder is not secure, and worse I don't have any idea who has access to it.

Maybe I'm missing something, maybe it performs "as designed", but I don't like this - and I don't think its clear for the user either.

10 comments